Computer network security platform

ABSTRACT

A computer system for managing security information for an organization includes a scanner execution module configured to automatically execute at least two scanners in a predetermined interval to analyze potential vulnerabilities of a computer environment. A vulnerability is acquired from the at least two scanners and stored in a data store. A user associated with the analyzed computer environment is determined based on the vulnerability stored in the data store, the user is notified of the vulnerability.

RELATED APPLICATIONS

This application claims the benefit of the filing date of U.S. Provisional Application No. 61/272,892, filed Nov. 16, 2009, titled “Computer Network Security Platform,” of John R. Maguire, incorporated in its entirety herein by reference.

FIELD

The present invention relates generally to computer security, and more particularly, to methods and systems for providing a centralized platform to manage computer security.

BACKGROUND

All information systems may have issues with cybersecurity, network security, insider threats, and general system security. Accordingly, there is a need to preserve security within an information system. “Security” may be defined to include three principles of an information system: (1) confidentiality; (2) integrity, and (3) availability.

SUMMARY

The Noblis ScanCenter™ is a web-based computer security platform configured for the coordination, execution and aggregation of security information. The security platform leverages multiple vulnerability detection methods and systems to provide a centralized platform for computer security. This platform enables an organization to protect the security of its computing systems, and provides a centralized platform to manage the organization's computer security. The platform automatically checks information systems in a routine, near-real time basis, using any number and any variation of commercially available or open source scanner technology to return a list of security problems (i.e., vulnerabilities).

Appropriate personnel may therefore receive notification of security problems in ongoing, near-real-time fashion. This ongoing, near-real time notification allows a security professional or other user to respond to an incident by quickly logging into the system to find a host with a given vulnerability and mitigate the vulnerability, thereby improving security.

The system may also analyze the overall performance of an information security program, including a combination of: the people that fix a problem, how quickly the problem was fixed, what types of problems exist, statistics regarding the number of problems compared to past points in time, the severity of problems, and so forth. These overall performance measures allow a security professional to improve the security of any information system.

Consistent with an embodiment of the present invention, a computer system for managing security information for an organization is disclosed. The computer system comprises a scanner execution module configured to automatically execute at least two scanners in a predetermined interval to analyze potential vulnerabilities of a computer environment associated with the organization; an acquisition module configured to acquire a vulnerability from the scanner execution module; a data store configured to store the vulnerability; a determination module configured to determine a user associated with the analyzed computer environment based on the vulnerability stored in the data store; and a user alert module configured to notify the user of the vulnerability.

Consistent with another embodiment, a computer-implemented method for managing computer security is disclosed. The method comprises automatically executing at least two scanners in a predetermined interval to analyze potential vulnerabilities of a computer environment associated with an organization; acquiring a vulnerability from the at least two scanners; storing the vulnerability in a data store; determining a user associated with the analyzed computer environment based on the vulnerability stored in the data store; and notifying the user of the vulnerability.

Consistent with yet another embodiment, a computer system for managing security information for an organization is disclosed. The system comprises a digital credential module configured to authenticate a user associated with the organization; an asset assignment module configured to assign a security responsibility to the user; a user personalization module configured to specify preferences for the user; a scanner execution module configured to automatically execute at least two scanners in a predetermined interval to analyze security issues of a computer environment; a user alert module configured to notify the user of a security issue received from one of the two scanners; a user engagement module configured to receive a status note related to the security issue, after the notification by the user alert module; and a security metric module configured to issue a report on the security issue.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of components in an exemplary security platform system consistent with an embodiment of the present invention;

FIG. 2 is a flow diagram of an exemplary process to coordinate, execute, and aggregate information security information consistent with an embodiment of the present invention;

FIG. 3 is a flow diagram of an exemplary process to enroll and authenticate a user of a security system consistent with an embodiment of the present invention;

FIGS. 4-9 illustrate exemplary user interface displays consistent with an embodiment of the present invention; and

FIG. 10 is a block diagram of an exemplary data processing system that may be used to implement embodiments consistent with principles of the invention.

DETAILED DESCRIPTION

Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

Cybersecurity, network security, insider threats, and general system security are growing threats to information systems all over the world. A web-based computer security platform consistent with embodiments of the present invention provides a centralized and easily accessible platform for computer security. The platform may automatically scan computer environments using an interval set by a user, with any number and any variation of scanner technology, to return a set of vulnerabilities. Appropriate personnel are then able to receive notification of security problems in an ongoing, near real-time fashion, which in turn enables the ongoing, near real-time mitigation of vulnerabilities.

FIG. 1 illustrates an exemplary computer security platform system consistent with an embodiment of the present invention. Computer security platform systems, such as the one shown, may be used to implement process 200, described in more detail below with respect to FIG. 2.

Environment 105 may be any information system, computer program, or other computing environment that may execute one or more services, programs, enterprise applications, operating systems, platforms, etc. Scanners 110 and 115 may be any technology that probes environment 105, and returns a list of problems with security. Examples of scanners 110 and 115 include commercially available products such as NESSUS™, HP WebInspect software, or open source software such as Nmap.

In one embodiment, scanners 110 and 115 may acquire data from environment 105 and may send the data to computer system 120. Computer system 120 may automatically process data from scanners 110 and 115, along with data from other sources.

Computer system 120 may include Digital Credential Module 130, Asset Assignment Module 140, User Personalization Module 150, User Alert Module 160, Security Metric Module 170, and Security Delta Module 180. Digital Credential Module 130 may be configured to authenticate a user's personal information using, for example, Personal Identity Verification (PIV) and a DoD Common Access Card (CAC). Asset Assignment Module 140 may assign a security responsibility to a user for an asset (e.g., a software application such as a web server), and may also inventory system capability.

User Personalization Module 150 may allow a user to specify preferences, which may be stored between user sessions. User Alert Module 160 may notify specific users of events, e.g., if a vulnerability is detected in an asset that has been associated with a specific user, that user may be notified of that vulnerability. For example, if a security issue is detected in a web server that is associated with John Smith, then Mr. Smith may be notified of that security issue.

Security Metric Module 170 may issue a report on a security issue, which may in some embodiments satisfy federal requirements, regulatory requirements, legal requirements, etc. For example, Security Metric Module 170 may generate reports to satisfy Federal Agency requirements under the Federal Information Security Management Act (FISMA). Security metrics may be used to report to management or other users regarding the overall effectiveness of a security program. The reports or metrics may provide statistics, such as the average time required to mitigate a high risk vulnerability, or the number of vulnerabilities mitigated within a given period of time, for example. Security Metric Module 170 may limit certain reports to a specific period of time. For example, a report may list all vulnerabilities mitigated since the beginning of the year, the beginning of the month, etc.

Security Delta Module 180 may display a change in a security environment for a specified time period, such as what has changed in the security environment of an organization since a previous reporting period. For example, security delta module 180 may issue a report stating that 30 days ago, environment 105 had 10 high risk vulnerabilities; 15 days ago, environment 105 had 19 high risk vulnerabilities; and yesterday, environment 105 had only 4 high risk vulnerabilities. Such data may prove useful for security professionals, who need the ability to compare two points in time for the security state of an environment. Examples of reports on a security issue and changes in a security environment are illustrated and described in more detail with respect to FIGS. 4-6.

One skilled in the art will understand that the system of FIG. 1 is an example of one embodiment consistent with the invention, and it may have parts, modules, hardware components, or software components added, deleted, reordered, or modified without departing from principles of the invention. For example, modules 170 and 180 may be combined, module 130 could be deleted, or any number of additional scanners could be added. As other examples, scanners 110 and 115 could be distributed throughout an enterprise, inside environment 105, or across separate networks.

FIG. 2 is a flow diagram of an exemplary process 200 that may be used to coordinate, execute, and aggregate information security information consistent with an embodiment of the present invention. As shown in FIG. 2, process 200, which may be implemented using a computer system, automatically executes two or more scanners in a predetermined interval to analyze potential vulnerabilities of an environment (step 210). The predetermined interval may be chosen by a user, and may be any interval (e.g., hour, day, year, month, week, first Friday of the month, etc.). A user may modify the predetermined interval at any time.

While automatically executing, scanners 110 and 115 may probe environment 105 (e.g., any information system), and discover what assets (e.g., applications) are running on those environments. Scanners 110 and 115 may probe environment 105 with no prior knowledge of environment 105. Scanners 110 and 115 may also check environment 105 for known vulnerabilities. For example, if scanner 110 finds environment 105 is running a web server, scanner 110 may then check the web server to determine which web server manufacturer is running. As an example, if it is an Apache™ web server, scanner 110 may check for known vulnerabilities of the Apache™ web server.

In addition to scanning environment 105 for potential vulnerabilities, scanners 110 and 115 may also scan environment 105 based on an expected configuration of the environment, e.g., what the environment is expected to look like. For example, every federal information system may be required to have an approved security baseline. Before the federal information system goes into operation, developers may specify which specific services should run on each machine, and a senior official may authorize each machine to operate. If changes are requested, the system may have to go through a government change management process, for example to assess the impact of each change on the system, to authorize each change, etc. When scanning, therefore, scanners 110 and 115 may also scan an environment for applications that are not within the specified security baseline. For example, if a scanner detects a web server running where there should be none (e.g., because a web server is not authorized), process 200 may detect that anomaly and treat it as a vulnerability. In this example, the web server itself may have no existing vulnerabilities, but the presence of the web server itself was not authorized for that particular government environment. Accordingly, the presence of the web server may be treated as a vulnerability.

Next, computer system 120 acquires scan data from the scanners, e.g., data regarding vulnerabilities on environment 105 (step 220). A vulnerability in a system may be described as the combination of a host, a port on that host, a protocol, and a security issue reported by a scanner to be present on a specific combination of host, port, and protocol used for access.

Process 200 incorporates the acquired data into a security platform on the system (e.g., ScanCenter™), for example by storing the acquired data in a data store (step 230). Computer system 120 may correlate similar results from different scanners, for instance using a vulnerability correlation module. For example, different scanners may use different terms, such as “critical” or “high risk,” to describe the same vulnerability. To correlate these terms and to determine if the terms refer to the same vulnerability, computer system 120 may use a unique, common identifier that is publicly searchable by information security professionals to identify the specific vulnerability (e.g., Common Vulnerabilities and Exposures (CVE®)). In other instances, computer system 120 may correlate results using identifiers from a host, a protocol, a port, a scanner, and a unique identification number from a scanner.

Next, process 200 determines a user associated with the analyzed environment, based on the vulnerability and other information stored in the data store (step 240). For example, computer system may determine that “IP Address 10.121.1.3” is assigned to “John Smith.” An example of an asset list that may be used to determine a user associated with a vulnerability is illustrated and described in more detail below with respect to FIG. 7.

Process 200 then notifies the identified user of the vulnerability (step 250). Notification may be made by various modes, for example, via an e-mail, a phone call, a voice message, a mobile phone message, or a text message. The notification may include an identification number for the environment and the scanner, a risk level, a status, a summary of the vulnerability, a detailed description of the vulnerability, advice on how to fix the vulnerability, the impact of the vulnerability on the confidentiality, integrity, and/or availability of the environment, etc. A notification may state, for example:

Vulnerability Details

-   -   ID: 1657     -   Scanner Reference ID: 24907     -   Found on: 10.122.151.48     -   Risk: High     -   Status: Open     -   Synopsis: The remote web server uses a version of PHP that is         affected by multiple flaws; Description: According to its         banner, the version of PHP installed on the remote host is older         than 5.2.1. Such versions may be affected by several issues,         including buffer overflows, format string vulnerabilities,         arbitrary code execution, and clobbering of super-globals.     -   Solution: Upgrade to PHP version 5.2.1 or later.

As another example, if a policy exists in which all vulnerabilities that are classified as “high risk” should be mitigated within thirty days of detection, and if twenty-five days have passed since initial detection, the system may notify a user that he or she has five days remaining in which to mitigate that issue. After users are notified of vulnerabilities, users may have the ability to enter notes, for example about the status of mitigation. These notes may be recorded as part of an official record. This capability engages users and makes them part of an overall security program. In certain embodiments, a user may be required to log into computer system 120 to access the notification, such as through a user authentication process described in more detail below with respect to FIG. 3.

Process 200 may repeat, for example, at the next interval, and may terminate after a specified number of intervals, a specified time period, may run until a user terminates the process, etc. One skilled in the art will understand that the process of FIG. 2 is an example of one embodiment consistent with the present invention, and it may have steps added, deleted, reordered, or modified without departing from principles of the invention. For example, steps 220 and 230 may be combined, or steps 210 and 250 may be deleted.

User Enrollment, Authentication and Authorization Framework

In some embodiments, the system may support government issued digital credentials such as Personal Identity Verification (PIV) (HSPD-12) and DoD Common Access Cards (CAC) for user authentication, including cryptographic tokens to authenticate users.

Systems consistent with embodiments of the invention may also include environments (e.g., government systems) where there is no route or administrative access to the environment. In those environments, as a scanner runs on an interval, it may encrypt scan results and cipher the scan results with strong cryptography. The scanner may then send (e.g., via email) the scan results out of the environment to preserve the confidentiality and integrity of the scan results. Alternatively, scanners may output results out of the environment, and a user may manually take the results and manage the results in a data store outside of the environment.

Systems consistent with embodiments of the invention may also include a robust Role Based Access Control (RBAC) framework in which arbitrary roles may be created to support local working and authorization norms. For example, user authentication may be handled by a digital certificate presented by a user and validated by a web server via out-of-band communication with a certificate issuer. An enrollment and authorization framework is described in more detail with respect to FIG. 3 below.

FIG. 3 is a flow diagram of an exemplary process 300 to enroll and authenticate a user into a security system, consistent with an embodiment of the present invention. In certain embodiments (not shown), a user, for example a user with the role of “Sponsor,” may sponsor another user into the system by adding the new user's personal information, such as name, email address, etc., as well as their level of authorization—what they will be entitled to do on the system once their account is active. As shown in FIG. 3, when a new user is added, a system implementing process 300 sends an invitation to the new user (step 310), for example to the new user's email address provided during sponsorship. Next, the enrollment function of the security platform (e.g., ScanCenter™) is made available to the new user (step 320). In certain embodiments, the invitation is an email containing some background text about the enrollment process as well as a “nonce” and a hyperlink to the enrollment function on the security platform. Once the user clicks on the hyperlink, he or she is taken to the enrollment function on the security platform (which may, in certain embodiments, use client-side certificate authentication).

The process verifies the credentials of the new user (step 330), and assigns applicable roles to the new user (step 340). For example, in one embodiment consistent with the present invention, the system implementing process 300 may check the new user's credentials, for example using Digital Credential Module 130 shown in FIG. 1, to ensure that the credentials have not been revoked by their issuer, and the new user may provide the nonce to the system. In this embodiment, enrollment is complete if the nonce matches the local value. The new user is added to the local authorization database and assigned applicable roles, which his or her sponsor may have previously provided to the system.

Asset Management

In certain embodiments, a system implementing process 200 may generate manager friendly graphs or other aids to help assist with program decisions, such as deciding which issues to address first, or, given a limited amount of time, deciding which issues to fix in order to provide the greatest security benefit. In certain embodiments, the system may show a security manager what has changed in the environment since the last reporting period. This functionality may be implemented by a Management Dashboard, which may indicate, for example, the number of new vulnerabilities detected during a specified time period.

FIG. 4 illustrates an exemplary user interface display consistent with an embodiment of the present invention for generating a Management Dashboard. Computer system 120 may present an “Environment 30 Day Vulnerability Trend' as shown in FIG. 4, which may provide trend data related to the number of vulnerabilities in the past 30 days. As shown in FIG. 4, system 120 may also present the “Top 10 Vulnerabilities” and “Key Statistics,” such as the Weekly Average of new “low” risk vulnerabilities, along with other data related to current system changes and updates.

FIG. 5 illustrates an exemplary user interface display consistent with an embodiment of the present invention for displaying a list of vulnerabilities. Computer System 120 may present a list of “Recent Vulnerabilities,” a “Remediation Queue,” (i.e., a list of assets to fix) and a list of “Assets Assigned to You.” Certain assets in the list, may be boxed, highlighted, or otherwise differentiated from the other assets to indicate the presence of a “high” risk, for example.

If a user selects or clicks on a specific asset, computer system 120 may present more details regarding the asset. FIG. 6 illustrates an exemplary user interface display consistent with an embodiment of the present invention for displaying asset details. As shown in FIG. 6, “Asset Details” may include an “IP address,” a “Type” of asset, a “Description” of the asset, a “Business Value,” a “First Seen” date, a “Last Seen date,” “Contact” information for the asset, etc. Computer system 120 may also present a “Daily Trend” graph showing the number of vulnerabilities on a particular host compared to an average environment. As shown in FIG. 5, a list of “Open Items Affecting This Asset” may present a user with a list of vulnerabilities, their associated risks, their detection date, age, last seen date, source, port, protocol, service, scanner reference identification number, etc. The information displayed in FIGS. 4-6 may be managed, for example, by User Alert Module 160.

Additionally, a user may have the ability to specify preferences that are remembered between sessions, for example using User Personalization Module 150. In certain embodiments, users are able to view only those assets that have been assigned to them.

FIG. 7 illustrates an exemplary user interface display consistent with an embodiment of the present invention for managing asset details. An administrator may utilize the user interface shown in FIG. 7 to view and edit multiple assets from an environment. As shown in FIG. 7, the management “Asset List” may display a list of “IP Address,” a trend graph, a “Low,” “Med,” “High,” and Total” number of risk levels, “First Seen” and “Last Seen” dates, and an “Assigned to” list of people to whom each asset is assigned. The information displayed in FIG. 7 may be managed, for example, by Asset Assignment Module 140.

ISSO/ISSM Roles

In some embodiments, process 200 may exclude certain vulnerabilities from display or from notification based on user selections. For example, if the cost or risk of change in patching a software hole in an older satellite system is greater than the possibility of having the vulnerability exploited, a user may choose to “exclude,” “override” or “accept” the risk.

In one embodiment, the security platform may provide for users who have the role of Information System Security Officer (“ISSO”) or Information System Security Manager (“ISSM”). These and other users may have the ability to exclude certain vulnerabilities (e.g., “false positives” or “accepted risks”) from display or inclusion in various reports or workflows. In certain embodiments, an exclusion may be permanent, or for a limited time period. In such a way, a system may learn which results to display for each user.

FIG. 8 illustrates an exemplary user interface display consistent with an embodiment of the present invention for excluding assets. As shown in FIG. 8, an administrator may utilize a “Specific Exclude List”, i.e., a list of assets excluded by or for specific users, along with a “Global Exclude List”, i.e., a list of assets excluded for all users. The information displayed in FIG. 8 may be managed, for example, by Asset Assignment Module 140.

The ISSO or ISSM may also have the ability to adjust the “severity” or “risk” rating of a specific vulnerability either up or down based on factors such as the local environment and norms. For example, a vulnerability that would otherwise be classified as low risk, but that is present in a host that controls a nuclear reactor, might be upgraded to “medium” risk simply because of the significant amount of risk that the local environment and conditions add.

The ISSO or ISSM may also have the ability to invite new users, view and edit a list of active users, and view and edit a list of users waiting to be enrolled. FIG. 9 illustrates an exemplary user interface display consistent with an embodiment of the present invention for managing users. As shown in FIG. 9, the ISSO or ISSM may display “Current Active Users,” “Current Inactive Users,” a “Current Enrollment Queue,” “Invite New User,” etc. The ISSO or ISSM may have the ability to assign security responsibility to specific users for specific assets. This ability may also be used as a system inventory capability, and may be used for certification, accreditation, and other policy activities.

A web-based computer security system consistent with embodiments of the present invention provides an accessible, central, and manageable platform for mitigating vulnerabilities in information systems. The platform may automatically scan computer environments using on a regular interval, using any number of commercially available and/or open source scanners. Appropriate personnel are then able to receive notification of security problems in an ongoing, near real-time fashion. As a result, the computer security system allows for the ongoing, near real-time mitigation of vulnerabilities in all kinds of information systems.

One skilled in the art will recognize that the graphs, data, and information shown in FIGS. 4-9 and in the other figures in this application are merely for illustration, and that graphs and information in the figures may be added, deleted, or modified.

FIG. 10 is a block diagram of an exemplary data processing system that may be used to implement embodiments consistent with principles of the invention. The components and arrangement, however, may be varied within principles of the present invention. Data processing or computing system 1000 includes a number of components, such as a central processing unit (CPU) 1005, a memory 1010, an input/output (I/O) device(s) 1025, a nonvolatile storage device 1020, and a database 1030. System 1000 can be implemented in various ways. For example, an integrated platform (such as a workstation, personal computer, laptop, etc.) may comprise CPU 1005, memory 1010, nonvolatile storage 1020, and I/O devices 1025. In such a configuration, components 1005, 1010, 1020, and 1025 may connect through a local bus interface and access database 1030 (shown implemented as a separate database system) via an external connection. This connection may be implemented through a direct communication link, a local area network (LAN), a wide area network (WAN) and/or other suitable connections. System 1000 may be standalone or it may be part of a subsystem, which may, in turn, be part of a larger system.

CPU 1005 may be one or more known processing devices, such as a microprocessor from the Pentium™ family manufactured by Intel™ or the Turion™ family manufactured by AMD™. Memory 1010 may be one or more storage devices configured to store information used by CPU 1005 to perform certain functions related to embodiments of the present invention. Storage 1020 may be a volatile or non-volatile, magnetic, semiconductor, tape, optical, removable, nonremovable, or other type of storage device or computer-readable medium. In one embodiment consistent with the invention, memory 1010 includes one or more programs or subprograms 1015 loaded from storage 1020 or elsewhere that, when executed by CPU 1005, perform various procedures, operations, or processes consistent with the present invention. For example, memory 1010 may include a security management program that manages user security roles, an asset assignment program that assigns security responsibilities to specific users for specific assets, and a web-based software platform that links the other programs and allows them to use a common database, provides a common user interface, performs basic bookkeeping tasks, manage an organization's information security, and provide user guidance. Memory 1010 may also include other programs that perform other functions and processes, such as programs that provide communication support, Internet access, etc.

Methods, systems, and articles of manufacture consistent with the present invention are not limited to separate programs or computers configured to perform dedicated tasks. For example, memory 1010 may be configured with a program 1015 that performs several functions when executed by CPU 1005. For example, memory 410 may include a single program 1015 that performs the functions of a security management program and an asset assignment program. Moreover, CPU 1005 may execute one or more programs located remotely from system 1000. For example, system 1000 may access one or more remote programs that, when executed, perform functions related to embodiments of the present invention.

Memory 1010 may be also be configured with an operating system (not shown) that performs several functions well known in the art when executed by CPU 405. By way of example, the operating system may be Microsoft Windows™, Unix™ Linux™, an Apple Computers operating system, Personal Digital Assistant operating system such as Microsoft CE™, or other operating system. The choice of operating system, and even to the use of an operating system, is not critical.

I/O device(s) 1025 may comprise one or more input/output devices that allow data to be received and/or transmitted by system 1000. For example, I/O device 425 may include one or more input devices, such as a keyboard, touch screen, mouse, and the like, that enable data to be input from a user, such as security preferences, notes about the status of mitigation, etc. Further, I/O device 1025 may include one or more output devices, such as a display screen, CRT monitor, LCD monitor, plasma display, printer, speaker devices, and the like, that enable data to be output or presented to a user. I/O device 1025 may also include one or more digital and/or analog communication input/output devices that allow computing system 1000 to communicate with other machines and devices, such as scanners 110 and 115. System 1000 may input data from external machines and devices and output data to external machines and devices via I/O device 1025. The configuration and number of input and/or output devices incorporated in I/O device 1025 are not critical.

System 1000 may also be communicatively connected to a database 1030. Database 1030 may comprise one or more databases that store information and are accessed and/or managed through system 1000. By way of example, database 1030 may be an Oracle™ database, a Sybase™ database, or other relational database. Database 1030 may include, for example, data and information related to vulnerabilities, user preferences, mitigation statuses, security metrics, user enrollment information, etc. Systems and methods of the present invention, however, are not limited to separate databases or even to the use of a database.

Other embodiments will be apparent to those skilled in the art from consideration of the specification and practice of the examples disclosed herein. It is intended that the specification and examples be considered as exemplary only. 

1.-20. (canceled)
 21. A computer system for managing security information for an organization, comprising: one or more memories storing instructions; and one or more processors configured to execute the instructions to: receive scan data from at least two scanners; correlate the scan data to determine one or more vulnerabilities; receive an input indicating that a vulnerability from the one or more vulnerabilities is an excluded vulnerability, the excluded vulnerability being excluded from a report based on a risk rating of the vulnerability; and generate a report that includes the one or more vulnerabilities but not the excluded vulnerability.
 22. The computer system of claim 21, wherein the one or more processors are further configured to execute the instructions to: generate a user interface that displays vulnerability data.
 23. The computer system of claim 22, wherein the one or more processors are further configured to execute the instructions to: receive an input through the user interface from a user, the input specifying one or more preferences of the user that are remembered between sessions.
 24. The computer system of claim 22, wherein the one or more processors are further configured to execute the instructions to: enable a user to exclude, override, or accept a risk associated with one of the one or more vulnerabilities through the user interface.
 25. The computer system of claim 22, wherein the one or more processors are further configured to execute the instructions to: enable a user to exclude, through the user interface, one of the one or more vulnerabilities from display or inclusion in the report permanently.
 26. The computer system of claim 22, wherein the one or more processors are further configured to execute the instructions to: enable a user to exclude, through the user interface, one of the one or more vulnerabilities from display or inclusion in the report for a time period.
 27. The computer system of claim 22, wherein the one or more processors are further configured to execute the instructions to: enable a user to adjust the risk rating of one of the one or more vulnerabilities through the user interface.
 28. A computer-implemented method for managing computer security, the method comprising the following operations performed by at least one processor: receiving scan data from at least two scanners; correlating the scan data to determine one or more vulnerabilities; receiving an input indicating that a vulnerability from the one or more vulnerabilities is an excluded vulnerability, the excluded vulnerability being excluded from a report based on a risk rating of the vulnerability; and generating a report that includes the one or more vulnerabilities but not the excluded vulnerability.
 29. The computer-implemented method of claim 28, further comprising: generating a user interface that displays vulnerability data.
 30. The computer-implemented method of claim 29, further comprising: receive an input through the user interface from a user, the input specifying one or more preferences of the user that are remembered between sessions.
 31. The computer-implemented method of claim 29, further comprising: enabling a user to exclude, override, or accept a risk associated with one of the one or more vulnerabilities through the user interface.
 32. The computer-implemented method of claim 29, further comprising: enabling a user to exclude, through the user interface, one of the one or more vulnerabilities from display or inclusion in the report permanently.
 33. The computer-implemented method of claim 29, further comprising: enabling a user to exclude, through the user interface, one of the one or more vulnerabilities from display or inclusion in the report for a time period.
 34. The computer-implemented method of claim 29, further comprising: enabling a user to adjust the risk rating of one of the one or more vulnerabilities through the user interface.
 35. A nontransitory computer readable medium encoded with instructions that, when executed by at least one processor, cause the at least one processor to perform a method for managing security information for an organization, the method comprising: receiving scan data from at least two scanners; correlating the scan data to determine one or more vulnerabilities; receiving an input indicating that a vulnerability from the one or more vulnerabilities is an excluded vulnerability, the excluded vulnerability being excluded from a report based on a risk rating of the vulnerability; and generating a report that includes the one or more vulnerabilities but not the excluded vulnerability.
 36. The nontransitory computer readable medium of claim 35, the method further comprising: generating a user interface that displays vulnerability data.
 37. The nontransitory computer readable medium of claim 36, the method further comprising: receive an input through the user interface from a user, the input specifying one or more preferences of the user that are remembered between sessions.
 38. The nontransitory computer readable medium of claim 36, the method further comprising: enabling a user to exclude, override, or accept a risk associated with one of the one or more vulnerabilities through the user interface.
 39. The nontransitory computer readable medium of claim 36, the method further comprising: enabling a user to exclude, through the user interface, one of the one or more vulnerabilities from display or inclusion in the report permanently.
 40. The nontransitory computer readable medium of claim 36, further comprising: enabling a user to exclude, through the user interface, one of the one or more vulnerabilities from display or inclusion in the report for a time period. 